Open yscialom opened 2 years ago
Related: https://github.com/AdguardTeam/AdGuardHome/issues/4681 Yet different: in issue 4681 AdGuardHome is (or seems to be) run as root, making those issues completely different.
@yscialom, hello. Unfortunately, we can't reproduce the issue, could you please share some setup details? How exactly do you run AdGuard Home as a non-root user? Do you log in to the container as an unprivileged user or use some custom Dockerfile?
@EugeneOne1 I had to tweak the Dockerfile: https://github.com/yscialom/AdGuardHome/pull/1/files This is my ultimate goal, but I need this issue to be resolved beforehand.
(Issue description updated to better explain how to reproduce)
I have this problem as well, trying to run it inside a Debian LXC container.
root@adguard1:/var/log/AdGuardHome# cat /etc/systemd/system/AdGuardHome.service
[Unit]
Description=AdGuard Home: Network-level blocker
ConditionFileIsExecutable=/opt/AdGuardHome/AdGuardHome
After=syslog.target network-online.target
[Service]
StartLimitInterval=5
StartLimitBurst=10
ExecStart=/opt/AdGuardHome/AdGuardHome "-s" "run"
WorkingDirectory=/opt/AdGuardHome
StandardOutput=file:/var/log/AdGuardHome/AdGuardHome.out
StandardError=file:/var/log/AdGuardHome/AdGuardHome.err
Restart=always
RestartSec=10
EnvironmentFile=-/etc/sysconfig/AdGuardHome
User=adguard
Group=adguard
[Install]
WantedBy=multi-user.target
root@adguard1:/var/log/AdGuardHome# ls -la .
total 14
drwxr-xr-x 2 adguard adguard 4 Oct 31 18:35 .
drwxr-xr-x 7 root root 15 Oct 31 18:35 ..
-rw-r--r-- 1 root root 530 Oct 31 18:41 AdGuardHome.err
-rw-r--r-- 1 root root 0 Oct 31 18:35 AdGuardHome.out
root@adguard1:/var/log/AdGuardHome# ls -la /opt/AdGuardHome
total 15072
drwxrwxrwx 2 adguard adguard 7 Oct 18 15:19 .
drwxr-xr-x 3 root root 3 Oct 31 18:30 ..
-rwxrwxrwx 1 adguard adguard 29188096 Oct 18 15:19 AdGuardHome
-rw-rw-rw- 1 adguard adguard 587 Oct 18 15:19 AdGuardHome.sig
-rw-r--r-- 1 adguard adguard 98824 Oct 18 15:19 CHANGELOG.md
-rw-r--r-- 1 adguard adguard 35149 Oct 18 15:19 LICENSE.txt
-rw-r--r-- 1 adguard adguard 21918 Oct 18 15:19 README.md
root@adguard1:/var/log/AdGuardHome# getcap /opt/AdGuardHome/AdGuardHome
/opt/AdGuardHome/AdGuardHome cap_net_bind_service,cap_net_raw=eip
root@adguard1:/var/log/AdGuardHome# cat AdGuardHome.err
2023/10/31 18:43:44 [info] AdGuard Home, version v0.107.40
2023/10/31 18:43:44 [info] service: control action: run
2023/10/31 18:43:44.765371 [info] AdGuard Home, version v0.107.40
2023/10/31 18:43:44.765382 [info] AdGuard Home is running as a service
2023/10/31 18:43:44.765394 [info] This is the first time AdGuard Home is launched
2023/10/31 18:43:44.765399 [info] Checking if AdGuard Home has necessary permissions
2023/10/31 18:43:44.765408 [fatal] This is the first launch of AdGuard Home. You must run it as Administrator.
root@adguard1:/var/log/AdGuardHome#
I was able to work around this issue by
It's now running happily on port 80/53.
root@adguard1:/var/log/AdGuardHome# nslookup dns.google 127.0.0.1
Server: 127.0.0.1
Address: 127.0.0.1#53
Non-authoritative answer:
Name: dns.google
Address: 8.8.8.8
Name: dns.google
Address: 8.8.4.4
Name: dns.google
Address: 2001:4860:4860::8844
Name: dns.google
Address: 2001:4860:4860::8888
root@adguard1:/var/log/AdGuardHome#
Also hitting this issue it seems. Any progress or something I can do to help the issue along? :)
Hello @QEDeD,
Could you please check the PR #4728 and see if there's something you can help with?
Issue Details
Context
docker pull adguard/adguardhome:latest
./AdGuardHome -v --version
Description
Under docker, when running AdGuardHome as a non-root user, AdGuardHome displays the following and exits
Expected Behavior
Under docker, when running AdGuardHome as a non-root user with the NET_BIND_SERVICE capability granted, AdGuardHome starts normally.
How to reproduce
Edit AdGuardHome's Dockerfile (See this draft PR on yscialom/AdGuardHome), build and run with
docker run -e PUID=$(id -un) ...
Preliminary Analysis
A non-root user can bind processes to ports <1024. This can be checked by running the following commands inside the docker container:
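As an added example (not the issue author's commands and not AdGuardHome code), a Go program that performs the same check from the defender's side of the question: it reads each capability set from /proc/self/status, tests bit 10 (CAP_NET_BIND_SERVICE), which the kernel consults in the effective set when bind(2) targets a port below 1024, and then attempts the bind itself so the flags can be compared with the real outcome. It assumes Linux and uses only the Go standard library.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"os"
	"strconv"
	"strings"
)

// CapNetBindService is capability number 10 in linux/capability.h. The kernel
// checks the effective set for it when bind(2) targets a port below 1024.
const CapNetBindService = 10

// parseCapSet returns one set (CapEff, CapPrm, CapBnd or CapAmb) from the text
// of /proc/<pid>/status as a bit mask.
func parseCapSet(status, field string) (uint64, error) {
	sc := bufio.NewScanner(strings.NewReader(status))
	for sc.Scan() {
		if line := sc.Text(); strings.HasPrefix(line, field+":") {
			hex := strings.TrimSpace(strings.TrimPrefix(line, field+":"))
			return strconv.ParseUint(hex, 16, 64)
		}
	}
	return 0, fmt.Errorf("%s not found in status", field)
}

// hasCap reports whether capability number capBit is set in mask.
func hasCap(mask uint64, capBit uint) bool { return mask&(1<<capBit) != 0 }

// canBindPrivilegedPort is the empirical check: listen on a low loopback port, then release it.
func canBindPrivilegedPort(port int) bool {
	ln, err := net.Listen("tcp", fmt.Sprintf("127.0.0.1:%d", port))
	if err != nil {
		return false
	}
	_ = ln.Close()
	return true
}

func main() {
	// Linux only; on read failure the masks simply come out as zero.
	status, _ := os.ReadFile("/proc/self/status")
	for _, set := range []string{"CapEff", "CapPrm", "CapBnd", "CapAmb"} {
		mask, _ := parseCapSet(string(status), set)
		fmt.Printf("%s=%016x net_bind_service=%v\n", set, mask, hasCap(mask, CapNetBindService))
	}
	fmt.Println("listen on 127.0.0.1:53 works:", canBindPrivilegedPort(53))
}
```

Run it as the same unprivileged user and in the same container as AdGuardHome; if CapEff lacks bit 10 the bind line will report false regardless of what CapBnd or a file capability shows.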
Source Code
This error "This is the first launch of AdGuard Home. You must run it as Administrator." can be found in internal/home/home.go:520, with CanBindPrivilegedPorts defined in internal/aghnet/net_linux.go:24, with unix.PrctlRetInt being a binding on the Linux system call prctl(2), reading:
Additional tests are necessary to determine if unix.PrctlRetInt is bugged, badly called, or whatever. But one can be convinced that, in this scenario, AdGuardHome should be able to open port 53 and should not exit with an error.
Why this issue matters
I discovered this issue while preparing a pull request to allow the docker flavour of AdGuardHome to run as a non-root user. This is indeed beneficial for two reasons:
Additional Information
Result of
./AdGuardHome -v --version